From: FederalNewsRadio.com 1500 AM
By Jason Miller
With Congress in a stalemate over cyber legislation, a different path to updating the Federal Information Security Management Act (FISMA) is available.
A group of former federal cyber experts is recommending three major changes to Office of Management and Budget Circular A-130. The goal is to codify continuous monitoring, the role of the Homeland Security Department in overseeing the operational aspects of FISMA and the definitions of national security systems and major IT systems.
Current efforts only ‘marginally effective’
The cadre of experts — Alan Paller of the SANS Institute; Jim Lewis of the Center for Strategic and International Studies; Karen Evans, director of the U.S. Cyber Challenge; Dan Chenok, executive director for the IBM Center for the Business of Government; and Frank Reeder, director of the Center for Internet Security — released a white paper today detailing their suggestions for improving A-130.
“OMB didn’t request us to do this,” said Karen Evans, a former OMB administrator for e-government and IT in an interview with Federal News Radio. “If you want to make changes in cybersecurity and legislation is not going to happen — that was the hypothesis — what kind of recommendations could be done today in absence of legislation that would really move the ball forward? It emanates from A-130.”
Evans, Reeder and Chenok are former OMB officials, while Paller and Lewis are outspoken critics of the long-time approach to FISMA. The group has been working on the A-130 recommendations for the better part of a year.
House and Senate bills have tried to update FISMA to include the requirement to continuously monitor agency networks for cyber threats and vulnerabilities. Only the Senate’s version of the legislation would put into law DHS’s role in FISMA, as described by OMB’s July 2010 memo.
The House version of the FISMA updates would reestablish OMB’s role in developing and overseeing cyber policy, essentially reversing the White House’s memo.
No update since 2000
Evans said their recommendations would be for A-130 to follow the Senate’s and the White House’s lead with regard to DHS’s role.
Evans said that is why changing A-130 to require continuous monitoring and to cement the DHS role will address the discrepancy between what IGs and CIOs follow.
“The way the policy world works, because we may not necessarily get legislative changes, and how can you make a big change or make an impact or sustain that impact — so it’s statute, then OMB circular then OMB policy memos,” she said. “If you want IGs, for example, to really take continuous monitoring seriously, and sustain it and build an evaluation program around it, they go to the circular. They’ll look at the statute, the circular and then they look at the policy memos. If it’s only in policy memos then it’s a little bit harder to get it institutionalized through that fabric in the civilian agencies. That’s why it’s critical for the circular to be updated to reflect that.”
One of the biggest changes the group is proposing is to change the definition of a national security system.
Ruffle some feathers
Reeder said that may “break some china” in the federal government.
The paper said the historic distinction between national security and non-national security systems is “an anachronism,” and creates a gap attackers could exploit when data moves between the two systems.
The experts recommend OMB base its cyber policy on risk principles detailed in its 2004 memo on authentication.
Along those same lines, the experts believe OMB also needs to change the definition of a major information system.
“We recommend a new definition to continue to allow flexibility for agencies, but also allow for a common understanding by all parties of what goes into a system,” the paper stated. “The revised definition should be consistent with the Clinger-Cohen Act and FISMA definitions for information systems, which is ‘a discrete set of information resources for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.’”
Evans said the goal is to look at the type of information an agency is managing and what the risk to its mission would be if that information were stolen, changed or deleted.
She added that too often the data discussion gets lost in the need to protect the system. For example, a system or data that is non-sensitive for the Interior Department may be considered sensitive or even classified for the CIA.
“Because of the type of information you have to look at it and say, ‘Is this really a national security system or a non-national security system? Or is it really about securing the information at a higher level?’” she said. “You don’t have to duplicate that one layer of review.”
Evans said the white paper also recommends A-130 adopt the security-capability maturity model to measure progress toward achieving acceptable risk levels.
“That model would allow for flexibility if one agency isn’t as mature in its processes or the people are going through a transition, it would allow for IGs to baseline it on an agency by agency basis, and then measure the progress,” she said. “You could see who is making progress and along what lines.”
The group of experts reached out to OMB and the CIO Council as they developed the white paper.
“We hope … OMB and DHS will use what they feel is aligned with their priorities so they can make some of these changes,” she said.
A request to OMB for comment on the recommendations was not returned.